Upload
calista-riley
View
24
Download
0
Embed Size (px)
DESCRIPTION
Model Checking I I. How CTL model checking works. CTL. A E X F G U Model checking problem Determine M, s0 f Or find all s s.t. M, s f. Need only E X F G U define others - PowerPoint PPT Presentation
Citation preview
Model Checking II
How CTL model checking works
CTL
A E X F G U
Model checking problemDetermine M, s0 f
Or find all s s.t. M, s f
Need only E X F G Udefine otherse.g.AG p EF pAF p EG p
Explicit state model checking
Option 1 CES (original paper)
Represent state transition graph explicitlyWalk around marking states
Graph algorithms involving strongly connected components etc.
Not covered in this course (cf. SPIN)Used particularly in software model checking
Symbolic MC
Option 2 McMillan et al
because ofSTATE EXPLOSION problem
State graph exponential in program/circuit sizeGraph algorithms linear in state graph size
INSTEADUse symbolic representation of both sets of
statesand of state transtion graph
Symbolic MC
Sets of states formulas
relations between states (BDDs)
Fixed point characerisations of CTL ops
NO explicit state graph
A state
Vector of boolean variables
(v1,v2,v3, …., vn) {0,1}n
Boolean formulas
(x y) z ( is exclusive or)
(1 0) 0 = 1assignment [x=1,y=0,z=0] gives answer 1is a model or satisfying assignment
Write as 101
Exercise: Find another model
Boolean formulas
(x y) z ( is exclusive or)
(1 1) 0 = 0
assignment [x=1,y=1,z=0] is not a model
Formula is a tautology if ALL assignments are models and is contradictory if NONE is.
Boolean formulas
For us, interesting formulas are somewhere in between: some assignments are models, some not
IDEA: A formula can represent a set of states (its models)
{} false {111} x y z {101} x y z {111,101} x z
. . {000,001, … , 111} true
Example
(x y) z represents {100,010,110,111}(x y) z is in form ({100,010,110,111},xyz)
Exercise: Find formulas (with var. names x,y,z) for the sets
{}{100}{110,100,010,000}
Exercise
Find an element ofform({001,010,100},abc)
Will slarva and write form(P,vs) to stand
for a formula representing P and using variables vs
What is needed now?
A good data structure for boolean formulas
Binary Decision Diagrams (BDDs)Akers (IEEE Trans. Comp 78)Bryant (IEEE Trans. Comp. 86, most cited CS
paper!)see also Bryant’s document about a Hitachi patent from
93
McMillan saw application to symbolic MC
Binary Decision Diagrams
Canonical form (constant time comparison)
Polynomial algorithms for ’and’, ’or’, ’not’ etc.
Exponential but practically efficient algorithm for boolean quantification
(Presentation based on lecture notes by Ken McMillan)
Ordered Decision Tree
a
c
d d d d d d d d
c c c
b b
0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1
ab + cd(ab) (cd)
0 1
0 1 0 1
0 1 0 1 0 1 0 1
To get OBDD
Combine isomorphic subtrees
Eliminate redundant nodes (those with identical children)
Tree becomes a graph
(O)BDDab + cd(ab) (cd)
a
b
c
d
0 1
0
1
0
1
0
0 1
Make BDD for
(x y) z
Combining BDDs
apply algorithm (for building and of two BDDs, or of two BDDs etc.)
v is top variable in either f or gSolve recursively for v=0 and v=1 to get 0 and 1
branches of result nodeDo not create new result node if both brances
equal (return that result) or if equivalent node already exists in reduce table. (The apply function is also memoized.)
Terminates when both f and g constants (1 or 0)
Quantification
b. f is f | b=0 f | b=1
get by replacing each b node by its 0 branch
also have efficient algorithm for quantifying over a set of variables
BDDs
+ Many formulas (and circuits) have small representations
-Some do not! Multipliers- BDD representation of a function can vary
exponentially in size depending on variable ordering; users may need to play with variable orderings (less automatic)
+ Good algorithms and packages (e.g. CUDD)+ EXTREMELY useful in practice- Size limitations a big problem
Exercise revisited
Find a BDD for your
form({001,010,100},abc)
Lattice
{000,001, …. , 110, 111}
.
.
{000,001} {000,010} {110,111}
{000} {001} {010} . . . . {110} {111}
{}
form({},v) false
form(PQ,v) form(P,v) form(Q,v)
form(PQ,v) form(P,v) form(Q,v)
R set of pairs of states
p Image(P,R)
{t s s P s R t}
R
R
RR
Forward image
p {t s s P s R t}
form(Image(P,R),v’) = v form(P,v) form(R,(v,v’))
R
R
RR
Image(P,R)
Backward image
{s t t Q s R t}
form(Image-1(Q,R),v) = v form(Q,v’) form(R,(v,v’))
R
R
RR
Q
Symbolic MC of CTL
Compute set of states satisfying a formula recursively (and use BDDs as rep.)
consider E cases define others
e.g.AX p EX pA (p U q) ?
CTL formula f H(f) set of states satisfying f
a (atomic) L(a) (cf. Lars)
p S – H(p)p q H(p) H(q)
P q ?
EX p familiar ?
CTL formula f H(f) set of
states
satisfying f
P q H(p) H(q)
EX p Image-
1(H(p),R)
Remaining operators
Fixed point characterisation
EF p p EX (EF p)
least fixed point
Fixed points
f : set of S -> set of S
Monotonic x y => f(x) f(y)
Fixed point y s.t. f(y) = y
Fixed points
monotonic f has
Least fixed point y. f(y) [lfp y. f(y)]
Greatest fixed point y. F(y) [gfp y. F(y)]
Lattice again
{000,001, …. , 110, 111}
.
.
{000,001} {000,010} {110,111}
{000} {001} {010} . . . . {110} {111}
{}
Lattice (S finite)
S
.
.
{}
Fixed points
{} f({}) f(f({})) f(f(f({}))) ….Limit is the least fixed point y. f(y)
S f(S) f(f(S) f(f(f(S))) ….Limit is greatest fixed point y. f(y)
CTL
EF p p EX (EF p)
H(EF p)
= y. H(p) H( EX y)
= y. H(p) Image-1(y,R)
Fixed point iteration
S0 = H(p)
Si+1 = H(p) Image-1(Si,R)
Fixed point iteration
P
Fixed point iteration
p EX (p EX p)
P
Fixed point iteration
Evetually stops!
P. . . .
Concrete example
000 100 110 111
001 101 010 011
Concrete example
000 100 110 111
001 101 010 011
0
1
2
3
4 6 7
5
EF p p = dreq q0 dack
and
and
or
dreq
q0
dack
EG
EG p p EX (EG p)
H(EG p)
= y. H(p) Image-1(y,R)
EG
EG p p EX (EG p)
H(EG p)
= y. H(p) Image-1(y,R)
NB: We can do all of these operations using BDDs to represent the sets
Fixed point interationin the other direction
P
Fixed point interationin the other direction
P
p EX p
Fixed point interationin the other direction
P
p EX (p EX p)
Fixed point interationin the other direction
p
p EX (p EX p)
….
Concrete example
000 100 110 111
001 101 010 011
0
1
2
3
4 6 7
5
EG p p = (dreq q0 ) dack
EU
E (p U g) q (p EX (E (p U g) )
H(E (p U g) )
= y. H(q) (H(p) Image-1(y,R))
Exercise: define H (A(p U q))
All done with BDDS!
Glad påsk